IE Security: Playing Catch-up with Netscape

Besieged by bad press over IE security holes, Microsoft pledges new features to protect users from the Net.


After the stream of Internet Explorer bug announcements made Microsoft security-bashing a common media activity this spring, the software giant announced its fix at the computer industry's own media spectacle, Spring Comdex.

In his keynote speech in Atlanta Tuesday, Microsoft chief Bill Gates outlined a plan that includes several enhancements - all separate components, including an online "security check-up quiz" - the majority of which will be a part of the next release of Internet Explorer. Some of the new Microsoft features have already been available in rival Netscape's Communicator browser, but the announcement does include a new idea the company calls "Security Zones."

Microsoft's Cornelius Willis calls the Security Zones the biggest shift in Microsoft's security thinking, in which both the Internet and intranets are filtered into four default Zones: Intranet, Trusted Extranet, General Internet, and Untrusted. For each Zone, different security levels can then be applied according to what a network administrator deems appropriate. In addition, an administrator can create additional Zones.

This last option will allow Internet Explorer to restrict the information that comes from arbitrary portions of the Net or, as Willis puts it, "To allow trusted relationships with certain sites."

The idea, Willis says, is to prevent "authorization fatigue," where a user is bombarded with security dialog boxes that are presented in online sessions. Microsoft's usability testing revealed that the average user experienced this after only one or two dialog boxes, so this was an attempt to keep it simple.

"What that means is that not using the safety features in the browser is analogous to not using your seat belt in a car," Willis says. "So what we're trying to do with the zones feature is to give users some easy ways to be safe, so they're not buckling their seat belt in 65 different places. They just have one 'seat belt,' and the browser makes it easy for them to use the Internet safely - as opposed to difficult, which is where we are now."

Microsoft's other enhancements are more mundane, including increased certificate management to control whose Java applets and ActiveX controls are run, additional Java security by way of Capabilities-Based Security for Java, and an upgrade to the 2.0 version of their Authenticode code-signing architecture for software developers.

Elias Levy, an active security expert and monitor of the security mail-list BugTraq, thinks the plan is a nice extension to Internet Explorer but that it's nothing earth-shattering. "Netscape already has capability-based Java security," he said.

Shirley March, senior security product manager at Netscape, refused to compare her company's Java security features with those of Microsoft. "I think that the Netscape Object Signing Protocol really stands on its own, and a comparison isn't really appropriate," she said.

Nonetheless, the similarity between what Microsoft has promised and what Netscape already includes is clear.

Netscape Object Signing Protocol identifies the signing of Java applets, and Capabilities-Based Java allows Java applets to operate outside of Sun's restricted "sandbox" user space - the area deemed to be secure. As with Microsoft's proposed security zones, a user can operate outside of the Java Virtual Machine's sandbox to perform operating system-level functions, such as writing to disks. But in so doing, users take it upon themselves to determine whether an applet is safe to run.

While Levy notes that a number of security improvements have been made with this Microsoft release, the ability to define the Net - including servers that do not provide some form of secure authentication - into Zones concerns him.

"If the hosts you add to Zone will be strongly authenticated using certificates, I think this is not a bad idea. But if all it takes is to simply add a hostname to a list this may be bad," he said, noting holes in nameserver software that could give crackers a way to spoof servers and gain control of the machines of unwitting users.

Levy cites an example where User A adds host trusted.com to the list of hosts given complete trust. If crackers know this information, they can poison the nameserver cache for User A's domain and point the domain name trusted.com to their machines. The next time User A visits the trusted.com Web site, the user will connect to the crackers' sites, giving them full access to run ActiveX and Java programs on User A's browser.
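Levy's concern, worked through as an added example (not code from Microsoft, Netscape or this article): a zone list keyed on hostname alone keeps granting "Trusted Extranet" after the resolver cache is poisoned, while a list bound to the certificate the host must present does not. The zone names and trusted.com come from the article; the function names, addresses, certificate bytes and the fingerprint pin standing in for certificate authentication are constructed assumptions.

```python
import hashlib
import hmac

DEFAULT_ZONE = "General Internet"

# Constructed sample data: documentation-range addresses, placeholder certificate bytes.
SERVERS = {
    "192.0.2.10": b"constructed certificate of the real trusted.com",
    "203.0.113.66": b"constructed certificate of an impostor host",
}
CLEAN_CACHE = {"trusted.com": "192.0.2.10"}
POISONED_CACHE = {"trusted.com": "203.0.113.66"}  # name now points elsewhere

def fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()

# Weak list: a bare hostname is enough to grant the zone.
HOSTNAME_ZONES = {"trusted.com": "Trusted Extranet"}
# Stronger list: the zone is bound to the certificate recorded for the host.
PINNED_ZONES = {"trusted.com": ("Trusted Extranet", fingerprint(SERVERS["192.0.2.10"]))}

def connect(host: str, dns_cache: dict) -> bytes:
    """Resolve the name and return the certificate the answering server presents."""
    return SERVERS[dns_cache[host]]

def zone_by_hostname(host: str, dns_cache: dict) -> str:
    connect(host, dns_cache)  # the peer's identity is never examined
    return HOSTNAME_ZONES.get(host, DEFAULT_ZONE)

def zone_by_certificate(host: str, dns_cache: dict) -> str:
    presented = connect(host, dns_cache)
    entry = PINNED_ZONES.get(host)
    if entry is None:
        return DEFAULT_ZONE
    zone, pinned = entry
    if hmac.compare_digest(fingerprint(presented), pinned):
        return zone
    return "Untrusted"  # claims a trusted name but cannot prove it

def compare() -> dict:
    """Zone each policy assigns to trusted.com under a clean and a poisoned cache."""
    return {
        (policy.__name__, label): policy("trusted.com", cache)
        for policy in (zone_by_hostname, zone_by_certificate)
        for label, cache in (("clean", CLEAN_CACHE), ("poisoned", POISONED_CACHE))
    }

if __name__ == "__main__":
    for key, zone in compare().items():
        print(key, "->", zone)
```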